Scalable Cloud-Based Endpoint Security System

ABSTRACT

A scalable cloud-based endpoint security system facilitates a security policy on a plurality of endpoints. Configuration data or commands for implementing a security policy are entered via a web browser of an administrative client device and received at a cloud server. An API server generates a message to a queue of a publication/subscription server that publishes the messages from the queue to one or more subscribing communication servers. A communication server sends the message to an endpoint targeted by the message via a persistent connection that the communication server maintains with the endpoint. In response to the message, the endpoint establishes a connection to the API server. The API server then distributes the configuration data or commands to the endpoint.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/665,368, filed on Jul. 31, 2017, which is incorporated by reference herein.

FIELD OF ART

The present disclosure relates generally to computer security and more specifically to a scalable cloud-based endpoint security system.

BACKGROUND

Malware is constantly evolving and therefore software designed to combat malware must be updated regularly. In large-scale systems, it is often challenging to distribute updates to large numbers of connected endpoint devices in an automatic and efficient way. It is furthermore difficult to scale the infrastructure needed to update those systems as more connected endpoints are added. The problem becomes even more challenging when endpoints are not connected to the same local area network as the enterprise security server that manages security policies and provides updates.

SUMMARY

A method is disclosed for updating a security policy on an endpoint client device in a networked computer environment. A command including configuration data for configuring a plurality of endpoints within an enterprise network is received at an application programming interface (API) server. A connection request message is sent to a queue of a publication/subscription (pub/sub) server. This connection request message identifies the plurality of endpoints targeted by the command. The connection request message is published by the pub/sub server from the queue to a subscribing communication server. The communication server maintains a persistent connection to a subset of the plurality of endpoints. The communication server receives the connection request message and identifies a target endpoint identified by the connection request message in the subset of the plurality of endpoints. The communication server then sends the connection request message to the identified endpoint via the persistent connection. The API server receives a connection request from the identified endpoint in response to the identified endpoint receiving the connection request message. A temporary connection is established between the API server and the identified endpoint in response to the request. The API server communicates the command to the identified endpoint over the temporary connection. Following the communication, the temporary connection is terminated.

BRIEF DESCRIPTION OF THE DRAWINGS

The figures (FIGS.) and the following description relate to preferred embodiments by way of illustration only. It should be noted that from the following discussion, alternative embodiments of the structures and methods disclosed herein will be readily recognized as viable alternatives that may be employed without departing from the principles of what is claimed.

FIG. 1 is a high-level block diagram illustrating an embodiment of a system environment for managing a set of computing devices.

FIG. 2 is a diagram illustrating an embodiment of a cloud server for a cloud-based endpoint security system.

FIG. 3 is a flow diagram illustrating a process for communicating with an endpoint in a cloud-based endpoint security system.

DETAILED DESCRIPTION

Reference will now be made in detail to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality. The figures depict embodiments of the disclosed system (or method) for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.

A scalable cloud-based endpoint security system facilitates implementation of a security policy on a plurality of endpoints. The security system is beneficially implemented in a cloud environment instead of on a local server on an enterprise local area network. The cloud implementation enables a highly scalable system that can accommodate any number of endpoints and can dynamically adapt as the number of endpoints changes.

FIG. 1 is a high-level block diagram illustrating a system environment 100 for managing a set of computing devices. The system environment 100 comprises an administrative client 105, a network 110, a cloud server 150, and a set of endpoint computing devices (hereafter referred to as “endpoints”) 120. The system environment 100 may include different or additional entities.

The administrative client 105 is a computer system configured to receive inputs from a network administrator to configure a network security policy associated with an enterprise and communicate the network security policy to the cloud server 150 via the network 110. The administrative client 105 may furthermore retrieve information relating to the network security policy from the cloud server 150 via the network 110 and present the information relating to the network security policy. In an embodiment, the administrative client 105 executes a web browser application to access an administrative web page hosted by the cloud server 150. The web page may be secured by requiring login credentials or another authentication technique to limit access to the administrative web page to a device or individual having appropriate privileges. The administrative web page may enable the administrator, via the administrative client 105, to configure various security settings for the endpoints 120 on the network 110, access status information relating to the endpoints, issue commands to the endpoints, or perform other administrative tasks relating to the security policy.

The network 110 represents the communication pathways between the administrative client 105, the cloud server 150, and the endpoints 120. In one embodiment, the network 110 includes a wide area network (e.g., the Internet). The network 110 can also include one or more enterprise local area networks that utilize dedicated or private communications links that are not necessarily part of the Internet. For example, an enterprise computing environment may include endpoints 120 residing on different local area networks associated with the same enterprise. An administrative client 105 may also reside on a local area network associated with the enterprise. A wide area network (e.g., the Internet) may connect the one or more local area networks of the enterprise to each other and with the cloud server 150. Other endpoints 120 may be coupled to the wide area network without necessarily being coupled to the local area network.

In one embodiment, the network 110 uses standard communications technologies and/or protocols. Thus, the network 110 can include links using technologies such as Ethernet, Wi-Fi (802.11), integrated services digital network (ISDN), digital subscriber line (DSL), asynchronous transfer mode (ATM), etc. Similarly, the networking protocols used on the network 110 can include multiprotocol label switching (MPLS), the transmission control protocol/Internet protocol (TCP/IP), the hypertext transfer protocol (HTTP), the simple mail transfer protocol (SMTP), the file transfer protocol (FTP), etc. In one embodiment, at least some of the links use mobile networking technologies, including general packet radio service (GPRS), enhanced data GSM environment (EDGE), long term evolution (LTE), code division multiple access 2000 (CDMA2000), and/or wide-band CDMA (WCDMA). The data exchanged over the network 110 can be represented using technologies and/or formats including the hypertext markup language (HTML), the extensible markup language (XML), the wireless application protocol (WAP), the short message service (SMS), etc.

The data on the network 110 may also be communicated via a persistent low overhead connection such as a WebSocket connection. The WebSocket protocol enables full duplex communication over a single TCP connection. The WebSocket protocol facilitates real-time data transfers via a standardized protocol that enables a server to send content to a client without being solicited by the client, and allows messages to be communicated in both directions while keeping the connection open.

In addition, all or some of the links can be encrypted using conventional encryption technologies such as the secure sockets layer (SSL) or its successor, transport layer security (TLS), Secure HTTP and/or virtual private networks (VPNs). In another embodiment, the entities can use custom and/or dedicated data communications technologies instead of, or in addition to, the ones described above.

Each endpoint 120 comprises one or more computing devices capable of processing data as well as transmitting and receiving data via the network 110. For example, an endpoint 120 may be a desktop computer, a laptop computer, a mobile phone, a tablet computing device, an Internet of Things (IoT) device, or any other device having computing and data communication capabilities. In the illustrated embodiment, there are N endpoints, where N may comprise any number of endpoints (e.g., tens, hundreds, or thousands of endpoints 120 or more). Furthermore, the number of endpoints 120 may change over time as endpoints come online and go offline. The endpoints 120 are each configured to execute an endpoint security agent 125 (e.g., a security application) that protects the endpoints from malware. For example, the endpoint agent 125 may include capabilities such as a real-time protection capability to prevent the downloading or installation of malware, a scanning capability to detect existing malware on the endpoint 120, and a remediation capability to quarantine and remove detected malware. The endpoint agent 125 may furthermore receive commands from the cloud server 150 to cause the endpoint agent 125 to execute a security-related function such as running a scheduled scan, updating a plugin that implements various security features, and updating malware definitions used to detect malware.

The cloud server 150 facilitates implementation of a security policy on a plurality of endpoints 120 that form part of an enterprise network. Implementing the security policy may include, for example, deploying or updating the endpoint agents 125 on the endpoints 120, configuring the endpoint agents 125 based on the security policy, sending commands to the endpoints to perform various tasks such as running scans or remediating vulnerabilities, and obtaining various security-related data from the endpoints such as state information or scan results. The security policy may be modified via commands received from the administrative client 105 as described above. A logical diagram illustrating an example embodiment of a cloud server 150 is described in greater detail in the description of FIG. 2 below.

Unlike a conventional enterprise security server that typically resides on a local area network of the enterprise and may be physically co-located with the local area network and the endpoints 120, the cloud server 150 instead may reside in a cloud environment remote from the enterprise local area network and connected to it via a wide area network such as the Internet. The cloud environment in which the cloud server 150 executes may be maintained by a third-party cloud computing provider that provides shared computer processing and data storage resources to the enterprise in an on-demand fashion. In this cloud environment, the cloud server 150 is not necessarily implemented on a single physical server and does not necessarily comprise only a single physical storage device. Instead, the cloud server 150 may be implemented as one or more physical servers, one or more virtual servers, or a combination of physical and virtual servers.

Controlling security policies by a cloud server 150 in a cloud environment has several advantages over a conventional security architecture in which a local security server operates on a local area network of the enterprise. First, controlling an enterprise security policy by the cloud server 150 in the cloud environment simplifies the ability of third-party providers to administer some or all aspects of the enterprise security policy because the third-party provider does not need direct access to the enterprise local area network. Thus, an enterprise can more easily offload some of the administrative burden of managing enterprise security to a dedicated third party service. Second, controlling an enterprise security policy at the cloud server 150 in the cloud environment may simplify control over endpoints 120 that are not on the enterprise local area network but are connected to the Internet because communications do not have to go through a firewall of the local area network. Thus, an enterprise may avoid having to update endpoints via virtual private network (VPN) connections or other complex networking tools. Third, implementing the security server as a cloud server 150 in the cloud environment simplifies scalability of the system as the number of endpoints 120 changes. For example, instead of an enterprise having to acquire and configure more physical servers as the number of endpoints 120 increases and the capacity limits are reached, the enterprise may simply obtain control of additional available computing resources in the cloud environment. Using existing third-party cloud computing services, this type of scaling can be achieved in a seamless and substantially automated manner without significant burden on the administrator.

While the system environment 100 is discussed herein as serving a single enterprise, the environment 100 may include multiple instances of the cloud server 150 each serving different enterprises and having different managed endpoints 120. Furthermore, a single cloud server 150 may serve multiple different enterprises managing different sets of endpoints 120 according to different security policies configured by respective administrative clients 105. Additionally, computing and storage resources of the cloud server 150 may be shared with other enterprises and used in an on-demand fashion.

FIG. 2 is a block diagram illustrating an example embodiment of a cloud server 150 communicating with a browser 220 of the administrative client 105 and the endpoints 120. The cloud server 150 comprises one or more instances of a web server 140, a data store 210, one or more instances of an application programming interface (API) server 240, a publication/subscription (pub/sub) server 250, and one or more instances of a communication server 260.

In the diagram of FIG. 2, the connections represent logical connections between components and do not necessarily represent direct physical connections. For example, the connections may occur over a network. Furthermore, the servers 140, 240, 250, 260 and store 210 of the cloud server 150 illustrated in FIG. 2 represent functional components of the cloud server 150 and do not necessarily represent different physical servers. For example, the servers 140, 240, 250, 260 may each be implemented as a virtual server. Multiple virtual servers may execute on a single physical server or a single virtual server may be distributed across multiple physical servers. Furthermore, the data store 210 may comprise a cloud storage system that may occupy only a portion of a shared physical storage device or may be distributed across multiple physical storage devices.

The server components of the cloud server 150 may be implemented as one or more processors and one or more non-transitory computer-readable storage media that store computer-readable instructions that, when executed by the one or more processors, cause the one or more processors to carry out the functions attributed to the respective servers 140, 240, 250, 260 described herein.

The browser 220 runs on the administrative client 105. The browser 220 is a conventional browser that runs on a client device and provides the administrator with a user interface with which to interact with the web server 140. The administrator uses a web site, accessed using the web server 140, to access an account with a unique account identifier. This account is used to send commands to the endpoints 120 (e.g., to configure the endpoints or perform a specified task). Configuration is done, for example, on a machine-by-machine basis, enterprise-wide, or on groups of endpoints. Configuration includes setting security policies (e.g., firewall policies, real-time protection policies), scheduling scans, and updating malware definitions. Furthermore, the configuration may provide machine identifiers for each of the endpoints 120 to be managed by the cloud server 150.

The web server 140 provides a web interface (e.g., a web page) that is accessible to the administrative client 105 using the browser 220. The web server 140 processes requests received from the browser 220 (e.g., via HTTP, HTTPS, or other protocol) and delivers one or more web pages to the administrative client in response to the requests. The one or more web pages may include an interface to enable an administrator to configure a security policy of the endpoints 120, send commands to the endpoints, or obtain various information from the cloud server 150 or endpoints. In an embodiment, multiple mirrored instances of the web server 140 may be available that each serve substantially identical web pages and can operate interchangeably. For example, different instances of the web server 140 may serve different administrative clients 105 based on different geographical locations or other criteria.

The API server 240 provides business logic that facilitates implementation of the security policy. The API server 240 receives commands (e.g., to update a configuration or perform a specified task) from the web server 140 representative of inputs provided by the administrator via the browser 220. The API server 240 may communicate using an API comprising a limited predefined set of commands that can be processed by the API server 240. For example, in one embodiment, a REpresentational State Transfer (REST) abstraction may be used to implement the API. The API server 240 processes configuration changes to the security policy based on the commands and stores the configuration changes to the data store 210. For example, the API server 240 may process the inputs to determine identifiers for a plurality of endpoints 120 that are targets of a command and update records associated with those endpoints in the data store 210. Configuration changes may include changes to a version of the endpoint agent 125 executing on the endpoints 120, changes to a firewall configuration, changes to a scheduled scanning frequency for scanning the endpoints for malware, disabling or enabling of various optional security features of the endpoints, changes to parameters controlling various real-time protection, scanning, or remediation tasks performed by the endpoint agent 125, or other security-related configurations. Other commands that can be issued to the endpoints 120 via the API server 240 may include, for example, initiating a manual scan on an endpoint 120 or requesting state information of an endpoint indicating, for example, an operating system executing on the endpoint, a version of the endpoint agent 125 executing on the endpoint, malware or vulnerabilities detected on the endpoint 120, remediation actions taken on the endpoint, a connectivity state of the endpoint, or other information relating to the current operating state of the endpoint.

Upon the API server 240 determining to send a command to one or more endpoints 120, the API server 240 sends a connection request message to the pub/sub server 250 that includes a machine identifier indicating an endpoint 120 that is the target of the message. The message may furthermore include an identifier for the instance of the API server 240 sending the message and a message identifier that uniquely identifies the message. In an embodiment, the message may furthermore include message type information indicating the type of data the API server 240 wants to send to the endpoint 120 (e.g., a configuration update, a scanning command, a status request, etc.). The API server 240 may store the message identifier to the data store 210 in association with the targeted endpoint 120 upon sending the message.

The API server 240 may also receive a connection request from an endpoint 120 and connect to the endpoint in response to the request. Once connected, the API server 240 may send the command and associated data (e.g., configuration data) to the endpoint 120 or receive information from the endpoint. Communications between the API server 240 and the endpoint 120 may utilize the commands in the API associated with the API server 240. In an embodiment, a connection between an endpoint 120 and the API server 240 is generally initiated by the endpoint in response to the endpoint receiving a connection request message as described above, although the API server 240 may initiate the connection in certain situations. In order to reduce the bandwidth requirements of the API server 240, the connections with the endpoints 120 may be made only when the endpoints have data to communicate to the API server 240 or when the endpoints request data from the API server 240. After the data is communicated, the connection may be terminated.

In an embodiment, the API server 240 and the endpoints 120 communicate with each other using the hypertext transfer protocol (HTTP) over the transport layer security (TLS) protocol. TLS encrypts the HTTP traffic, which provides data privacy and ensures data integrity; when the endpoint validates the server certificate, TLS also authenticates the API server 240 to the endpoint, so that an endpoint told to connect to a given API server instance can confirm it has reached that instance.

In some embodiments, multiple instances of the API server 240 are utilized for scalability. Each instance of the API server 240 may perform identical functions and may operate in parallel to couple to different instances of the web servers 140 and to different endpoints 120. Instances of the API server 240 may be dynamically generated (e.g., as new virtual servers) as the number of endpoints 120 or other factors change. For example, new instances of the API server may be generated as virtual servers based on the number of endpoints 120 being administered by the cloud server 150 as specified in the data store 210. In an embodiment, a separate control server (not shown) may control scaling of the number of API servers 240 based on load, configuration parameters, throughput, or other factors. For example, if a large number of endpoints 120 are receiving an update at the same time, the control server may generate more instances of the API server 240 to accommodate the increased load, and then scale back down once the action is completed. In an embodiment, the control server may be administered by the third party cloud server host instead of by the enterprise in order to reduce the administrative burden of the enterprise. Alternatively, the enterprise may control scaling of the API server 240 by either automated or manual control (e.g., via the administrative client 105).

The pub/sub server 250 receives the messages from the one or more instances of the API server 240 and stores the messages in a queue. In an embodiment, the queue of the pub/sub server 250 is a first-in, first-out (FIFO) queue. Alternatively, the queue may intelligently prioritize messages based on a type of message, the target of the message, or other factors. The pub/sub server 250 publishes messages from its queue to subscribing servers, which may include one or more instances of the communication server 260.

The communication server 260 provides message processing capabilities to process messages received from the pub/sub server 250. Multiple instances of the communication server 260 can be instantiated on the cloud server 150, with each communication server serving a subset of the endpoints 120 and maintaining a list of identifiers for the endpoints it serves. The number of communication servers 260 can be scaled based on the number of endpoints 120 and the volume of messages. In an embodiment, the number of communication servers 260 can adapt dynamically by automatically generating or terminating virtual servers based on the number of endpoints 120 (as specified in the data store 210) or other factors. In an embodiment, a separate control server (not shown) may control scaling of the number of communication servers 260 based on load, configuration parameters, throughput, or other factors. The control server may send a notification to the administrative client 105 indicating the change in the number of communication servers 260. In an embodiment, the control server may be administered by the third party cloud server host instead of by the enterprise in order to reduce the administrative burden of the enterprise. Alternatively, the enterprise may control scaling of the communication servers 260 by either automated or manual control (e.g., via the administrative client 105).

Each instance of the communication server 260 may subscribe to all messages transmitted by the pub/sub server 250. Upon receiving a message, the communication server 260 determines whether or not it serves the endpoint specified as the target of the message (e.g., by comparing an identifier in the message against its stored list of endpoint identifiers). If the communication server 260 determines that the message is targeted to an endpoint 120 that it serves, the communication server 260 transmits the message to the appropriate endpoint.

Each instance of the communication server 260 maintains a persistent connection to the one or more endpoints 120 that it serves. The persistent connections between the communication server 260 and the endpoints 120 may be, for example, WebSocket connections. The persistent connection enables persistent connectivity and real-time or near real-time communication from the communication server 260 to a connected endpoint 120 without the endpoint having to request the data from the communication server. This enables the communication server 260 to provide the messages to the endpoints 120 quickly and with very low overhead.

Upon receiving a connection request message from the communication server 260, the endpoint 120 requests a connection to the API server 240 that originated the message (e.g., using an identifier in the message). The endpoint 120 and API server 240 then connect and communicate the relevant data. Upon completing the data transfer, the connection between the API server 240 and the endpoint 120 may be terminated.

The type of connection between the API server 240 and the endpoint 120 (e.g., an HTTP over TLS connection) typically has higher latency and requires more overhead than the persistent connection between the communication server 260 and the endpoint. However, the type of connection between the API server 240 and the endpoint 120 is better suited for large data transfers and beneficially ensures data privacy and integrity.

The data store 210 maintains a database specifying various information pertaining to the endpoints 120. For example, the data store 210 stores security policy information for an enterprise such as, for example, parameters associated with the endpoint agents 125, firewall configurations, scan schedules, and scan results. The data store 210 also maintains unique machine identifiers for all of the endpoints 120. The data store 210 may store, in association with each of the machine identifiers, a state of the endpoint 120 and identifiers associated with messages sent to the endpoint. In addition, the store 210 maintains unique identifiers for all of the accounts that have access to the system via the administrative client 105.

Endpoints 120 may come online or offline at various times and may therefore miss messages from the API server 240 if they are sent when the endpoint 120 is offline. When an endpoint 120 first comes online (either from an offline state or when a new endpoint is registered in the data store 210), the endpoint may automatically request a connection to the API server 240. The endpoint 120 may provide an identifier of the last message it received to the API server 240 and the API server may compare the identifier against the data store 210 to determine if the endpoint missed any messages while offline. If the API server 240 determines that the endpoint 120 missed any messages, the API server determines which messages were missed and sends these messages if the messages have not expired. The messages may include messages related to configuration changes and commands. In an embodiment, certain commands may expire from the data store 210 after a time period. For example, if an endpoint 120 misses a scan command, the scan command may be canceled after a predefined time period (e.g., 24 hours).
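The catch-up step described in this paragraph, as an added example that is not code from the patent: the API server keeps, per machine identifier, the messages it has sent, and when an endpoint reconnects and reports the last message identifier it received, the server replays every later message that has not expired. The record layout, the assumption that message identifiers increase monotonically per endpoint, the expiry table (the 24-hour scan expiry is the patent's example; the other entries are assumptions) and the sample history are all constructed for this illustration.

```python
# Added example (not the patent's code): replaying messages an endpoint missed
# while offline, dropping those that have expired. Layout and data are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed expiry per message type. A missed scan command is cancelled after
# 24 hours (the patent's example); a status request goes stale faster; a
# configuration change never expires, since the endpoint must still converge
# on the current policy.
EXPIRY: Dict[str, Optional[timedelta]] = {
    "scan": timedelta(hours=24),
    "status_request": timedelta(hours=1),
    "config_update": None,
}


@dataclass(frozen=True)
class StoredMessage:
    message_id: int          # assumed monotonically increasing per endpoint
    message_type: str
    sent_at: datetime
    payload: dict

    def expired(self, now: datetime) -> bool:
        ttl = EXPIRY.get(self.message_type)
        return ttl is not None and now - self.sent_at > ttl


class DataStore:
    """Stand-in for data store 210: message history keyed by machine identifier."""

    def __init__(self) -> None:
        self.history: Dict[str, List[StoredMessage]] = {}

    def record(self, machine_id: str, msg: StoredMessage) -> None:
        self.history.setdefault(machine_id, []).append(msg)

    def purge_expired(self, now: datetime) -> int:
        """Housekeeping: drop expired commands; returns how many were removed."""
        removed = 0
        for machine_id, msgs in self.history.items():
            kept = [m for m in msgs if not m.expired(now)]
            removed += len(msgs) - len(kept)
            self.history[machine_id] = kept
        return removed


def missed_messages(store: DataStore, machine_id: str,
                    last_seen_id: Optional[int], now: datetime) -> List[StoredMessage]:
    """What the API server sends on reconnect. last_seen_id is the last message
    the endpoint reports having received (None for a newly registered endpoint).
    Result: every later, unexpired message, in the order it was sent."""
    return [m for m in store.history.get(machine_id, [])
            if (last_seen_id is None or m.message_id > last_seen_id)
            and not m.expired(now)]


def demo() -> dict:
    """Constructed history: endpoint m-001 received message 1, went offline,
    and reconnects 40 hours after the first message."""
    store = DataStore()
    t0 = datetime(2017, 7, 31, 9, 0)
    store.record("m-001", StoredMessage(1, "config_update", t0, {"realtime": True}))
    store.record("m-001", StoredMessage(2, "scan", t0 + timedelta(hours=2), {"scope": "full"}))
    store.record("m-001", StoredMessage(3, "config_update", t0 + timedelta(hours=30),
                                        {"firewall": "block_inbound"}))
    store.record("m-001", StoredMessage(4, "scan", t0 + timedelta(hours=31), {"scope": "quick"}))
    now = t0 + timedelta(hours=40)
    replay = missed_messages(store, "m-001", 1, now)      # offline endpoint catching up
    fresh = missed_messages(store, "m-001", None, now)    # newly registered endpoint
    return {"replay_ids": [m.message_id for m in replay],
            "fresh_ids": [m.message_id for m in fresh],
            "purged": store.purge_expired(now)}
```

Message 2 (a full scan issued 38 hours before the reconnect) is past its 24-hour window and is neither replayed nor kept; message 4 (a scan 9 hours old) still goes out. Replaying every missed configuration update in order is the simplest way to keep the endpoint's view consistent; a production data store could instead collapse them into the current policy and send only that.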

A benefit of the described architecture of the cloud server 150 is that the required bandwidth of the API server 240 may be reduced because the endpoints 120 (which may exist in very large numbers) need not constantly poll the API server 240 for updates. Instead, the endpoints 120 only connect to the API server 240 when they determine that an update or command is available based on the connection request message received via the communication server 260. Furthermore, by utilizing a communication server 260 with a persistent connection to the endpoint 120, the messages can be communicated to the endpoints quickly without the endpoints constantly polling the communication server 260. The architecture also enables the number of instances of the API server 240 and the number of instances of the communication server 260 to scale independently. The number of instances of the communication server 260 is directly related to the total number of endpoints 120 that the cloud system is managing. If a new account is added with a large number of endpoints 120, or new endpoints 120 are deployed within an existing account, each of those endpoints 120 will try to establish a connection with the communication server 260, and that may trigger new instances of communication servers 260. On the other hand, if a configuration setting is changed in an operating environment that has a larger number of endpoints 120, all of those endpoints 120 of that environment may try to download their settings from the API server 240 at the same time, which may increase the load on the API servers 240 and may trigger new instances of the API server 240. Once all the settings are downloaded, the load on the API servers 240 may reduce and thus the API server 240 may again scale back down to an effective operating level.

Further still, the architecture beneficially enables updating of the API server 240 independently of updating of the communication server 260. The independent updating enables the cloud server 150 to be updated in a more efficient manner with less disruption to the endpoints 120 it serves.

FIG. 3 is a flow diagram illustrating an embodiment of a process for sending a command to an endpoint 120 to update a configuration or perform another specified task. A browser 220 sends 310 inputs to the web server 140 via a web interface. The inputs may be based on interactions by an administrator with a web page provided by the web server 140 and may include updated configuration information or requests for the endpoints 120 to perform particular tasks. In some embodiments, the inputs sent from the browser 220 to the web server 140 are in a JavaScript Object Notation (JSON) format.

The web server 140 next sends 320 a command derived from the inputs to the API server 240. The command may include associated configuration data for updating the endpoints 120. Based on the inputs and on the identifiers in the data store 210 associated with the administrative account, the API server 240 determines the machine identifiers of the endpoints 120 to be targeted by the command. The API server 240 updates 325 the data store 210 with the command and any associated configuration data.

The API server 240 sends 330 a connection request message to the queue of the pub/sub server 250. The connection request message comprises a request for an endpoint 120 to connect to the API server 240 to receive the command and any associated configuration data. The message includes, for example, the machine identifier of the endpoint 120 targeted by the command. The pub/sub server 250 publishes 340 the message by sending the message to a subscribing communication server 260. The endpoint 120 targeted by the configuration data is next identified 350 by the communication server 260. Each instance of the communication server 260 maintains persistent connections to the endpoints 120 it serves. If the endpoint 120 targeted by the message is served by the communication server 260, the communication server 260 routes the message to the corresponding endpoint, based on the machine identifier within the message, via the persistent connection.

In response to the endpoint 120 receiving the message from the communication server 260, the endpoint and the API server 240 establish 370 a temporary connection. The API server 240 communicates the command to the endpoint 120 via the temporary connection. The command may include, for example, configuration data that causes the endpoint 120 to update a configuration of the endpoint agent 125. Alternatively, the API server 240 may generate a command that causes the endpoint 120 to execute a task such as running a scan, providing scan data, or providing status information to the API server 240. After receiving the configuration data, the endpoint 120 terminates the connection with the API server 240.
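The following Python sketch is an added illustration of the FIG. 3 flow and is not code from the patent. It uses in-memory stand-ins for the data store 210, the API server 240, the pub/sub server 250, two instances of the communication server 260 and three endpoints 120, walks steps 320 through 370 with constructed JSON inputs, and also implements the message-identifier comparison of claims 6, 13 and 20 for an endpoint whose persistent connection was down when a message was published. Class and field names, the JSON input shape, the integer message identifiers and the sample account are all assumptions made here; the persistent and temporary connections are plain method calls rather than WebSocket or HTTPS sessions.

```python
import itertools
import json
from collections import defaultdict


class DataStore:                             # stand-in for data store 210
    def __init__(self):
        self.accounts = {}                   # account_id -> [machine_id, ...]
        self.commands = defaultdict(dict)    # machine_id -> {msg_id: command}
        self.delivered = defaultdict(set)    # machine_id -> ids already fetched


class PubSub:                                # stand-in for pub/sub server 250
    def __init__(self):
        self.subscribers = []

    def subscribe(self, comm_server):
        self.subscribers.append(comm_server)

    def publish(self, message):              # step 340: fan out to every subscriber
        for comm_server in self.subscribers:
            comm_server.receive(message)


class Endpoint:                              # stand-in for endpoint 120 / agent 125
    def __init__(self, machine_id):
        self.machine_id = machine_id
        self.config = {}
        self.applied = []                    # message ids applied, in order

    def on_connection_request(self, api_server, message):
        # Step 370: temporary connection; report the id of the message just received.
        for msg_id, command in api_server.connect(self.machine_id, message["msg_id"]):
            if command["type"] == "update_config":
                self.config.update(command["config"])
            self.applied.append(msg_id)
        # Returning stands for the endpoint terminating the temporary connection.


class CommServer:                            # stand-in for communication server 260
    def __init__(self, api_server):
        self.api_server = api_server
        self.connections = {}                # machine_id -> Endpoint (persistent links)

    def attach(self, endpoint):
        self.connections[endpoint.machine_id] = endpoint

    def detach(self, machine_id):            # persistent connection dropped
        self.connections.pop(machine_id, None)

    def receive(self, message):              # step 350: route only to endpoints served here
        for machine_id in message["targets"]:
            endpoint = self.connections.get(machine_id)
            if endpoint is not None:
                endpoint.on_connection_request(self.api_server, message)


class ApiServer:                             # stand-in for API server 240
    def __init__(self, store, pubsub):
        self.store, self.pubsub = store, pubsub
        self._msg_ids = itertools.count(1)

    def handle_inputs(self, account_id, raw_json):
        # Steps 320-330: derive the command, resolve the account's machine ids,
        # persist the command, then queue a connection request message.
        inputs = json.loads(raw_json)
        command = {"type": inputs["type"], "config": inputs.get("config", {})}
        targets = list(self.store.accounts[account_id])
        msg_id = next(self._msg_ids)
        for machine_id in targets:
            self.store.commands[machine_id][msg_id] = command
        self.pubsub.publish({"msg_id": msg_id, "targets": targets})
        return msg_id

    def connect(self, machine_id, received_msg_id):
        # Claims 6/13/20: compare the received id with the ids saved for this endpoint;
        # earlier ids never fetched are missed commands, returned first and in order.
        saved, done = self.store.commands[machine_id], self.store.delivered[machine_id]
        pending = sorted(i for i in saved if i <= received_msg_id and i not in done)
        done.update(pending)
        return [(i, saved[i]) for i in pending]


def demo():
    """Two communication servers; ep-b is disconnected while message 1 is sent."""
    store, pubsub = DataStore(), PubSub()
    api = ApiServer(store, pubsub)
    store.accounts["acme"] = ["ep-a", "ep-b", "ep-c"]   # constructed sample account
    cs1, cs2 = CommServer(api), CommServer(api)
    pubsub.subscribe(cs1)
    pubsub.subscribe(cs2)
    a, b, c = Endpoint("ep-a"), Endpoint("ep-b"), Endpoint("ep-c")
    cs1.attach(a)
    cs1.attach(b)
    cs2.attach(c)
    cs1.detach("ep-b")                       # ep-b's persistent connection drops
    api.handle_inputs("acme", '{"type": "update_config", "config": {"scan_interval_h": 6}}')
    cs1.attach(b)                            # ep-b reconnects, never saw message 1
    api.handle_inputs("acme", '{"type": "update_config", "config": {"firewall": "strict"}}')
    return a, b, c
```

Running `demo()` shows each communication server delivering only to the endpoints in its own connection table, so no endpoint is woken twice even though every instance receives every published message, and ep-b receiving message 1 and message 2 together, in order, when it finally connects with the identifier of message 2. Two points of the design are worth noting: the message travelling through the pub/sub server and communication servers carries only a message identifier and target machine identifiers, so the command and configuration data are never exposed on that path and a spurious wake-up can at most cause an extra fetch; and the patent does not specify how the endpoint authenticates on the temporary connection or how the persistent connection is protected, both of which a real deployment must settle.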

The above-described architecture and process beneficially provide a cloud-based security system that can implement a security policy on a large number of endpoints 120. An indirect communication channel to the endpoints 120 via the pub/sub server 250 and the communication servers 260 provides a low-overhead communication path to alert the endpoints 120 when updates are available without the endpoints constantly polling the API server 240. The architecture is furthermore highly scalable, thus enabling an enterprise to quickly add or remove endpoints 120 without substantial administrative burden.

The foregoing description of the embodiments of the invention has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.

Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.

Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a non-transitory computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.

Embodiments of the invention may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a non-transitory, tangible computer readable storage medium, or any type of media suitable for storing electronic instructions, which may be coupled to a computer system bus. Furthermore, any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.

Embodiments of the invention may also relate to a product that is produced by a computing process described herein. Such a product may comprise information resulting from a computing process, where the information is stored on a non-transitory, tangible computer readable storage medium and may include any embodiment of a computer program product or other data combination described herein.

As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).

Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

What is claimed is:
1. A method for updating a security policy on a plurality of endpoints in a networked computer environment, the method comprising: receiving, at an API server, a command including configuration data for configuring the plurality of endpoints within an enterprise network; generating a connection request message identifying the plurality of endpoints targeted by the command; identifying, by a communication server, a target endpoint identified by the connection request message; sending, by the communication server, the connection request message to the identified endpoint via a persistent connection; receiving, by the API server, a connection request from the identified endpoint in response to the identified endpoint receiving the connection request message; establishing a temporary connection between the API server and the identified endpoint in response to the request; and communicating, by the API server, the command to the identified endpoint over the temporary connection.
2. The method of claim 1, further comprising: updating, by the API server, a database based on the command, the database storing configuration information relating to the plurality of endpoints.
3. The method of claim 1, wherein the API server, communication server, and pub/sub server are implemented as virtual servers in a cloud computing environment coupled to the endpoints over a wide area network.
4. The method of claim 1, further comprising: detecting a set of new endpoints joining the enterprise network; responsive to detecting the set of new endpoints, generating a number of new virtual server instances of the communication server, the number of new virtual server instances based on a number of the new endpoints; and assigning each of the new virtual server instances to a subset of the new endpoints.
5. The method of claim 1, wherein the persistent connection maintained between the communication server and the endpoints is a WebSocket connection.
6. The method of claim 1, further comprising: the API server receiving, from the identified endpoint, an identifier for the received message; performing a comparison, by the API server, of the received identifier to message identifiers saved in a data store associated with the identified endpoint; determining, at the API server, whether the identified endpoint missed one or more prior commands intended for the identified endpoint based on the comparison; and providing, by the API server, the identified endpoint with the missed one or more prior commands.
7. The method of claim 1, wherein the command comprises a command to perform at least one of: updating an endpoint agent executing on the identified endpoint, updating a configuration parameter associated with an endpoint agent executing on the identified endpoint, reconfiguring a firewall setting on the identified endpoint, changing a scheduled scanning frequency of the identified endpoint, disabling or enabling security features of the endpoint agent executing on the identified endpoint, and requesting status information from the identified endpoint.
8. A non-transitory computer-readable storage medium storing instructions for updating a security policy on a plurality of endpoints in a networked computer environment, the instructions when executed by one or more processors causing the one or more processors to perform steps comprising: receiving, at an API server, a command including configuration data for configuring the plurality of endpoints within an enterprise network; generating a connection request message identifying the plurality of endpoints targeted by the command; identifying, by a communication server, a target endpoint identified by the connection request message; sending, by the communication server, the connection request message to the identified endpoint via a persistent connection; receiving, by the API server, a connection request from the identified endpoint in response to the identified endpoint receiving the connection request message; establishing a temporary connection between the API server and the identified endpoint in response to the request; and communicating, by the API server, the command to the identified endpoint over the temporary connection.
9. The non-transitory computer-readable storage medium of claim 8, the steps further comprising: updating, by the API server, a database based on the security policy, the database storing configuration information relating to the plurality of endpoints.
10. The non-transitory computer-readable storage medium of claim 8, wherein the API server, communication server, and pub/sub server are implemented as virtual servers in a cloud computing environment coupled to the endpoints over a wide area network.
11. The non-transitory computer-readable storage medium of claim 8, the steps further comprising: detecting a set of new endpoints joining the enterprise network; responsive to detecting the set of new endpoints, generating a number of new virtual server instances of the communication server, the number of new virtual server instances based on a number of the new endpoints; and assigning each of the new virtual server instances to a subset of the new endpoints.
12. The non-transitory computer-readable storage medium of claim 8, wherein the persistent connection maintained between the communication server and the endpoint is a WebSocket connection.
13. The non-transitory computer-readable storage medium of claim 8, the steps further comprising: the API server receiving, from the identified endpoint, an identifier for the received message; performing a comparison, by the API server, of the received identifier to message identifiers saved in a data store associated with the identified endpoint; determining, at the API server, whether the identified endpoint missed one or more prior commands intended for the identified endpoint based on the comparison; and providing, by the API server, the identified endpoint with the missed one or more prior commands.
14. The non-transitory computer-readable storage medium of claim 8, wherein the command comprises a command to perform at least one of: updating an endpoint agent executing on the identified endpoint, updating a configuration parameter associated with an endpoint agent executing on the identified endpoint, reconfiguring a firewall setting on the identified endpoint, changing a scheduled scanning frequency of the identified endpoint, disabling or enabling security features of the endpoint agent executing on the identified endpoint, and requesting status information from the identified endpoint.
15. A security system for implementing a security policy on a plurality of endpoints in a networked computer environment, the security system comprising: one or more computer processors; and one or more non-transitory computer-readable storage media, the storage media storing computer program instructions executable by the one or more computer processors to perform steps comprising: receiving, at an API server, a command including configuration data for configuring the plurality of endpoints within an enterprise network; generating a connection request message identifying the plurality of endpoints targeted by the command; identifying, by a communication server, a target endpoint identified by the connection request message; sending, by the communication server, the connection request message to the identified endpoint via a persistent connection; receiving, by the API server, a connection request from the identified endpoint in response to the identified endpoint receiving the connection request message; establishing a temporary connection between the API server and the identified endpoint in response to the request; and communicating, by the API server, the command to the identified endpoint over the temporary connection.
16. The security system of claim 15, the steps further comprising: updating, by the API server, a database based on the command, the database storing configuration information relating to the plurality of endpoints.
17. The security system of claim 15, wherein the API server, communication server, and pub/sub server are implemented as virtual servers in a cloud computing environment coupled to the endpoints over a wide area network.
18. The security system of claim 15, the steps further comprising: detecting a set of new endpoints joining the enterprise network; responsive to detecting the set of new endpoints, generating a number of new virtual server instances of the communication server, the number of new virtual server instances based on a number of the new endpoints; and assigning each of the new virtual server instances to a subset of the new endpoints.
19. The security system of claim 15, wherein the persistent connection maintained between the communication server and the endpoints is a WebSocket connection.
20. The security system of claim 15, the steps further comprising: the API server receiving, from the identified endpoint, an identifier for the received message; performing a comparison, by the API server, of the received identifier to message identifiers saved in a data store associated with the identified endpoint; determining, at the API server, whether the identified endpoint missed one or more prior commands intended for the identified endpoint based on the comparison; and providing, by the API server, the identified endpoint with the missed one or more prior commands.